ietf-dkim
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: [ietf-dkim] ISSUE 1519: SSP-01 Unnecessary constraint on i= when asserting "strict"// edits

2007-12-05 18:25:01
from [Jim Fenton] [Permanent Link] 
Douglas Otis wrote:

dkim-ssp-01 edits to avoid unnecessary constraint on i=

====
Was:
1. Introduction
...
   In the absence of a valid DKIM signature on behalf of the "From"
   address [RFC2822],..

Change to:
  In the absence of a valid DKIM signature on behalf of the "From"
  address [RFC2822] domain,..


It has been pointed out that the Introduction is not the place for
normative language, but wherever this sentence ends up, it would tell
the verifier to skip the SSP check on the basis of a domain match
alone.  This means that someone signing with a key that has a g=
constraint could tell the verifier to bypass the SSP check for any
message in the domain, not just the From address[es] that the signer is
authorized to sign for.  This would create a new security vulnerability.



====

Was:
2.8. Originator Signature

   An "Originator Signature" is any Valid Signature where the signing
   address (listed in the "i=" tag if present, otherwise its default
   value, consisting of the null address, representing an unknown user,
   followed by "@", followed by the value of the "d=" tag) matches the
   Originator Address.  If the signing address does not include a local-
   part, then only the domains must match; otherwise, the two addresses
   must be identical.

Change to:
2.8. Originator Signature

   An "Originator Signature" is any Valid Signature where the d= tag
   matches or is within the Originator Domain (the domain of the first
   From email-address).  In addition, when a key is restricted by its
   g= tag, the signature MUST BE valid for the Originator Address (the
   first From email-address).


As far as I can tell, the only difference between these statements
occurs when the signer has an unrestricted key and decides to apply a
local-part to the i= tag even though it is not required.  I don't think
this is an important case to consider; they could easily apply the From
address's local-part if they want.

-Jim

====

_______________________________________________
NOTE WELL: This list operates according
tohttp://mipassoc.org/dkim/ietf-list-rules.html


_______________________________________________
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  [ietf-dkim] Issue #1512: Re: making SSP useless in one short step, Jim Fenton
Next by Date:  Re: [ietf-dkim] Draft summary of SSP functionality, Jim Fenton
Previous by Thread:  [ietf-dkim] ISSUE: SSP-01 Unnecessary constraint on i= when asserting "strict"// edits, Douglas Otis
Next by Thread:  [ietf-dkim] [psg.com #1519] [Comment] SSP-01 Unnecessary constraint on i= when asserting "strict" // correction, Douglas Otis
Indexes:  [Date] [Thread] [Top] [All Lists]